APT31, a Chinese-affiliated hacker group, cloned and used spyware code belonging to the National Security Agency (NSA). According to the Israeli cybersecurity intelligence company Check Point, the group used the hacking tool to develop more sophisticated spyware. Researchers have also released evidence identifying APT31 as the culprit of the hack.
Most of the reports presented showed that APT31 hackers – also known as Zirconium – stole code from the NSA’s Tailored Access Operations unit. The malware used – dubbed ‘Jian’ – resembled the 2017 spyware, but it was more sophisticated. Hackers then used the spyware to leak a series of national cyberweapons, which stained the NSA’s public reputation (the “Shadow Brokers” leak).
The attack version exploited CVE-2017-0005, a zero-day vulnerability commonly used in APT31 attacks. They accessed EpMe’s specifics over two years ago, before the NSA’s PRISM program leaks were first revealed. Similar leaks also occurred several times in 2014 and 2015. The same flaws were linked to three other privilege escalation hacks on Windows – two of which used 0-days.
Microsoft fixed the CVE-2017-0005
Following numerous hacks exploiting CVE-2017-0005, the American-affiliated version posed a threat to most companies. Microsoft experienced the same hack on Windows but prevented a significant leak. That is, the software giant fixed the flaw ‘silently’ before the attack occurred.
Microsoft received an anonymous tip from Lockheed Martin’s Computer Incident Response Team in 2017 regarding the hack. In turn, the hackers never managed to have a CVE-ID assigned to patch the hack.
If the Equation Group – the NSA’s Tailored Access Operations unit – had shared the information with Microsoft, they would have prevented the attack. This suggests the NSA focused more on surveillance than on treating national security as a priority.
More research reveals further leaks in the NSA
Several reports show that the NSA might have lost control over its spyware years ago, before its cyber weapons became public in the “Shadow Brokers” leak. In May 2019, Symantec released a report highlighting a Windows zero-day attack. It stated that the leak extended to the Equation Group in the 2016 hack.
Check Point’s research also revealed multiple reports about attacks that were previously unheard of. It discussed several hacks connected to the cloned NSA malware.
Kaspersky researcher Costin Raiu acknowledged Check Point’s report, stating it is legitimate. He added that the findings are accepted within the infosec community. Yet the damage the APT31 group caused the NSA seems irreversible. Meanwhile, Check Point’s research offers important reminders and lessons to learn from the NSA attacks.
APT31: one of the world’s most advanced hacker groups
APT31 became active back in 2001 (perhaps even earlier) and seemed to have significant ties with the NSA’s Tailored Access Operations. It has both American-affiliated and Chinese-affiliated versions – with both exploiting CVE-2017-0005.
CVE-2017-0005 is a Windows privilege escalation vulnerability widely linked to the group. Since its inception, APT31 used its version until 2015, and Microsoft patched it in 2017. The network was a US-based version, with researchers claiming it was solely designed as an Equation Group tool.
However, APT31 used spyware against the NSA that readily bypasses various security tools. The group continued to target the same vulnerability over the years until it was caught. Experts affirm that EpMe and Jian differ in terms of coding.
In the attack, it is believed the group used Jian because they did not have EpMe’s source code. Thus, they reverse-engineered the tool to access EpMe. But a single mistake by the group allowed Lockheed Martin to detect their activities.